Monday, February 01, 2016

Reading list: Hoofnagle on FTC Privacy Law

Review copy. The book will be available
on Amazon Feb. 5.This is a detailed,
clearly written guide to the FTC, with specific attention to its privacy
practices but including an extensive discussion of its overall history and
jurisdiction, at least on the consumer protection side; the antitrust side receives
much less attention, which is not a complaint (at least not from me!).I learned a lot, and I’m going to recount
some of the highlights.

Hoofnagle regards the FTC’s activities, mostly through
settlements, as “the most important regulation of information privacy in the
United States,” likely to be so for the near future given our choked-off
political system. Nor is rulemaking a
possibility, given the special, non-APA legal regime that makes rulemaking
incredibly difficult for the FTC.And
that incrementalism is not a bad thing: he thinks the FTC is well-positioned to
meet the challenge, having “matured into a careful, bipartisan, strategic, and
incrementalist policy actor.”

Because its regulatory scope is so broad, it hasn’t been
subject to capture by any particular industry, and has been able to target the
biggest actors in relevant markets. When
it goes too far, it risks a Congressional backlash, but it is also constantly under
pressure to prove its worth.First by
using its deception authority, and increasingly with unfairness, the FTC has
pushed companies to improve privacy policies substantively, which is needed
since mere disclosure, we know, doesn’t change a thing.Hoofnagle regards the fact that the FTC isn’t
constrained by common-law requirements like a specific harm to an identifiable
person as its great strength, and rejects the idea that the FTC should have to
follow common-law harm principles.His
emphasis on the desirability of a reasonably active regulator to protect well-behaved
businesses against outliers in their own fields is welcome; business interests
are not libertarian interests.

Hoofnagle goes into great detail about the structures of the
FTC, with both practical and ideological effects.He identifies a tension between “legal, more
moralistic culture” of the Bureau of Consumer Protection and the economists—the
former “view a misrepresentation as an inherent wrong,” while the latter want
harm outside of that before the government should act.He views the FTC’s history as one of
continuity, arguing that the FTC has always been a technology agency responding
to new developments in marketing and otherwise.

Not everything is perfect.In the past decade, only about 25 percent of FTC judgments and settlements
result in full payment, due to resistance by companies (one $16 million case
required subpoenaing sixty-four different entities and getting thirty-five garnishments);
lack of money remaining in the hands of fraudsters; and asset hiding. This fact serves as a good reminder that the
FTC goes after some truly bad actors, which is one reason that case law is
generally so favorable to the FTC; the incorrigible/litigious respondents “create
terrible precedents for other companies.”At the same time, the FTC has trouble enforcing consent orders, because
courts

require the FTC to prove by clear and convincing evidence
that the respondent has violated an express and unequivocal command in order to
find contempt.Where the issue is
something like privacy, it’s difficult to reach the right level of specificity:
“respect consumer privacy and … secure data” are hard obligations to
define.Google, which is under 20 years
of monitoring for its ill-fated Buzz initiative, promised to create a
“comprehensive privacy program that is reasonably designed to address privacy
risks related to the development and management of new and existing products
and services for consumers.” Hoofnagle
points out thatthis order could be
complied with “substantially” and “still be inadequate to protect privacy in a
meaningful way. … [A] weak or partial embrace of the duty may be practically
difficult to police.”

When it comes to privacy, Hoofnagle argues that the FTC’s
broad authority to police unfair and deceptive trade practices can take it very
far.Deception is available in at least
some circumstances, where people are misled into a false sense of security.Historically, he contends, the FTC has begun
regulatory interventions with its deception authority, moving towards
unfairness when market manipulations become more subtle and hard to deem
deceptive, which is what is happening with privacy now.The more companies write their contracts to
excuse themselves from any constraints in the fine print, the more of a role
unfairness, and generalized consumer expectations, will have to play in
enforcing privacy protections.

One example of the use of deception is when, in part to
stave off government action, industry engages in self-regulation.Then, violations of self-regulatory rules can
be enforced under the FTC’s deception authority.Self-regulation also avoids First Amendment
challenges and may be appealed to as reasonable standards of industry behavior
when the FTC goes after outliers under its unfairness authority.“Perhaps for these reasons, the FTC exhibits
a kind of credulity when new groups appear claiming to represent entire
industries and claiming a commit ment to a set of rules. To privacy advocates,
this activity is galling and empty, but to the Commission the industry has just
rested its foot in a trap.”

Hoofnagle makes the conventional arguments against
disclosure as sufficient to protect privacy such as the failure of disclosures
and the third-party problem of information collection/use by third parties with
no relation to the consumer or reputational checks on their behavior (think
collection agencies or the servicing agent for your mortgage).He draws on Gordon Hull’s argument that
current neoliberal ideas treat privacy as an individual economic choice,
setting people up for failure (because self-management of privacy is impractical).Individualization obscures the true social
nature of the problem.

However, Hoofnagle doesn’t think that privacy law is the
appropriate place to deal with discrimination in credit offers or pricing based
on individualized targeting.Price
discrimination, he says, is about power, and information companies are natural
monopolies. Therefore, competition policy, rather than privacy law, is the
place to work on disturbing uses of data to discriminate on price.

Later chapters discuss specific areas of privacy, such as
children’s privacy/COPPA, where fears for children’s safety “caused Congress to
build a framework with scant regard to how children might want to use
interactive services.” COPPA created incentives to develop services that are
one-way, television-like broadcasting services. Designers do this because
interactivity triggers

legal duties under COPPA, but it makes the information
environment less healthy. Children also learn to lie about their age in order
to join fun, highly interactive services that are supposedly only used by
adults.

There are good parts of COPPA, Hoofnagle contends, but they
should be available to everyone, not just kids: “the allocation of privacy
responsibilities for the behavior of vendors, such as third-party trackers, to
the service; limitations on how data can be used; limitations on tracking;
rules on how much data can be collected; a regulatory incentive for contextual
advertising and against behavioral tracking; and ceilings on how long data can
be retained.” These non-consent related
provisions, he concludes, provide much more protection for privacy than
parental consent does.

Information security cases raise both deception and
unfairness concerns.Hoofnagle relies on
Ross Anderson’s argument that, even in competitive markets, insecure products
tend to drive out secure ones because of first-mover advantage. Consumers have
trouble evaluating security, and don’t rank it highly when choosing products;
it’s a latent safety defect.Companies
often build security into products “to transfer risk to others, or to enable
differential pricing, or to cause customer lock-in, such as through digital
rights management technologies.” For
example, for credit cards, issuers have successfully defined the problem of
fraud as one of merchant security, putting a “Sisyphean” burden on merchants: keeping
a widely shared number secret. A more
comprehensive approact to the structure of payment systems would define and
deal with the problem differently.Hoofnagle argues for a public health-type approach, dealing with
insecurity as a collective action problem.

Anti-marketing laws, e.g., anti-spam laws: Here I learned of
research by Brian Krebs asking why anyone
buys from spammers.He looked at records
from a large online pharmaceutical sales network and interviewed 400 purchasers.
Many couldn’t afford the US prices of
drugs—they could save hundreds of dollars per month to treat chronic
conditions, and get Indian drugs that looked just the same as those from the
local pharmacy (perhaps because most of those drugs are made in India too). Others
were embarrassed to see a doctor; thought it was more convenient to
self-diagnose and buy treatments online; or couldn’t get legal prescriptions
because they were dependent on the drugs.This too seems like a series of political problems.But because spammers benefit, they impose
huge externalities on the rest of us: $20 billion estimated annually, for
revenue for spammers of $200 million a year.This is apparently an externality ratio greater than that for auto theft.Worse, techniques created to spread spam
create an infrastructure for other malicious software.

Hoofnagle briefly addresses Eric Goldman’s arguments that we
should like ad targeting because then we’d only see information useful to
us.Among other things, he makes the
nice point that no commercial entity will have the incentive to develop such a
filter, to which we provide input about our preferences, so long as data about
us are readily available other ways and we have no legal means to stop
that.Goldman’s related critique that Do
Not Call isn’t granular enough to let through calls people really would want is
not persuasive—not only is it outrageously popular, suggesting a revealed
preference for not getting the calls, the cost of erecting a screen and
choosing which you might be interested in—even if you could really figure that
out in advance—is itself a cost consumers don’t want to bear.

Hoofnagle also sounds the alarm about First Amendment
constraints on regulation.Since we
don’t have to worry any more about paying for each email we receive,
regulations may not seem justified under the strict standards the Court now
applies, even if we don’t want all this spam.I would have liked a bit more First Amendment analysis, fitting
Hoofnagle’s policy arguments into the First Amendment scheme.

Financial privacy: I didn’t know that other countries, such
as France and Australia, don’t have the kind of credit reporting we do, where
all our transactions are tracked. They only create records when there’s
nonpayment—and yet, Hoofnagle notes, France and Australia are modern markets.The US, by contrast, uses a model of “total
surveillance. It gives individuals incentives to pay bills on time – and to
have them monitored by [Credit Reporting Agencies] – in order to have a report
dominated by positive information.”He
doesn’t mention this, but that also puts priority on participating in the
formal economy.

He also notes the history of financial entities putting lots
of people at risk because it paid them to do so, with prescreened credit offers
that could be swiped out of people’s mailboxes.To check your credit report/opt out of offers, you need to provide your
Social Security number—but business users can search for you using your name
alone, without that number. “This dynamic is typical for opt-out schemes –
opting out is subjected to higher security requirements than the much riskier
act of delivering a full consumer report to a business.”

Hoofnagle suggests that financial privacy laws could be
protected somewhat against First Amendment challenges by tying immunity for
credit report providers from tort suits to the burdens of the law—if they
aren’t going to be required to protect consumers’ ability to access and contest
credit reports, and to omit information that’s old or contested, then they
shouldn’t get federal preemption of negligence and other tort claims.

International privacy efforts: Unfortunately, the US-EU Safe
Harbor rules were invalidated just as this book was going to press, so most of
it discusses the situation as if the Safe Harbor existed.Hoofnagle sets out the different US and EU
approaches, based on different history and values:

The atrocities committed during the
Holocaust were assisted through information technology, and private companies
were complicit in Nazi activities. Furthermore, the penetration of reliable
census-taking activities is one explanation of why so many Dutch Jews were
killed in the Holocaust while nearby countries with fewer information collection
activities had higher rates of Jewish survival. Stasi and Communist tracking of
individuals and their social networks, and citizens “informing” on others reinforced
the lesson that information can become a tool of oppression.

But he cautions against understanding the European approach
as simply fear-based.Instead, European
values of respect for private life and individual dignity reflect a positive
view of the self as well.

I was particularly interested in his description of
conflicting legal cultures: “US lawyers seek rules that will help bring clients
into full legal compliance. But international rules are often stated as
general, high-level principles for data handling. Read literally, these rules would
be impossible to implement because they would regulate personal,
inconsequential matters.”E.g., data
protection laws, on their plain terms, make many a Facebook post unlawful (and
there’s at least one woman who was held liable for doing just that). So US
lawyers, who often want to be within the law, look at European law and say it’s
impossible, especially given national variations.Mostly, he suggests, European regimes want
“good enough” privacy, like “good enough” parenting, but that’s really hard to
define in advance.And the privacy
version of the precautionary principle—delete data after a reasonable time, and
don’t do new things with them without consent—conflict with the Silicon Valley
approach of collecting information now and figuring out how it might be
valuable later.

Turning to the future, Hoofnagle endorses the approach of
David Vladeck (my colleague), who suggested that the FTC would include threats
to individual dignity as one reason it might choose to pursue a case.“Harm supporters reacted hysterically,
labeling Vladeck’s views emotional, questionable, vague, nontraditional, and
subjective…. In critiquing Vladeck, harms-based supporters almost always put
dignity in quotes, as if it were some Germanism.”But dignity, Hoofnagle notes, is a good way
to describe why people seek privacy (and why they don’t generally poop in
public).Being spied on in your own
home—as actually happened to some people in cases pursued by the FTC—isn’t
primarily or measurably an economic invasion.

In his view,

the FTC’s case selection is causing
American law to converge with some European norms. For instance, the FTC’s
matters concerning malware reject traditional contract notions in favor of fairness
principles that one would expect from European consumer protection efforts.
Similarly, FTC actions against companies that collect information for one specified
purpose and resell it for another reflect European ideals of purpose specification
and limitation. Finally, the US–EU Safe Harbor Agreement itself, while only
legally applicable to Europeans’ data, causes some companies to extend Continental-style
protections to American consumers.

The Bureau of Economics is, in Hoofnagle’s view, a barrier
to more effective FTC policies on privacy.The BE doesn’t generally see privacy violations as having an economic
value, and “it perceives there to be no market for pro-privacy practices.”Hoofnagle suggests ways that a more dynamic
market for privacy might be encouraged and value.For example, there is a “privacy
differential” between the policies of free, consumer-oriented services and
for-pay, business-oriented services, and the value of that differential to
consumers could be studied. This could result in disgorgement and restitution
penalties for violations of the FTCA.More aggressively, the BE could help change the incentives of industry
participants who lack incentives to protect privacy. Hoofnagle analogizes to
the market for auto safety:

automakers once claimed that consumers
did not really care about safety, that consumers chose cars based on appearance,
and that auto safety was the domain of a small group of malcontents. In the
1950s, there was no ability to express a preference for safety, but once seat
belts became an option, they proved tremendously popular. The BE could be part
of a movement to create the “seat belt” for internet commerce.

I love analogies, but I’m not sure how exactly this would
work, because understanding the options is probably always going to be
difficult, by Hoofnagle’s own account of consumer decisionmaking.But Hoofnagle has more practical suggestions,
too.He suggests drawing on methods used
by the plaintiffs’ bar for measuring how consumers conceive of the value of
personal information:

For instance, in one case involving
illegal sale of driver record information, an economist polled citizens to
explore what kind of discounts they would accept in renewing their driver’s
license in exchange for this information being sold to marketers. While the
market valued the information at $0.01 per record, 60 percent of respondents
said they would reject an offer of a $50 discount on their license in exchange
for allowing the sale of their name and address to marketers.

Most importantly, however, Hoofnagle advocates that the FTC
should reject any return to the “common law,” which means limiting FTC action
to addressing pecuniary injuries.(As he
points out, the common law also provides criminal punishment for frauds on the
public, which the proponents of harm requirements don’t support.)Affronts to dignity and violation of consumer
expectations also deserve protection.And this means a willingness to use the unfairness power to address
inherent wrongs.The FTC has begun to do
this with awful behavior like revenge porn sites, and with spyware, and he
contends it should do more.For example,
he considers Facebook to be an “information-age bait and switch.”After consumers had become locked into the
platform, it changed its privacy policies to make us far more exposed, relying
on its market dominance to keep defections to a minimum.

As part of this regulatory attention, privacy advocates will
have to hold their own in cost-benefit analyses.Hoofnagle argues that deregulation advocates
produce biased work that ignores the externalities of privacy intrusions, such
as the disruption caused by telemarketing calls and the costs of developing
technologies such as caller ID to fend them off.Privacy-side work could provide a fuller
picture of the externalities and transaction costs to consumers of ugly
industry practices.

Creative Commons/disclaimer

Text on this blog is licensed under a Creative Commons Attribution 2.5 License. Pictures and works quoted may be subject to other parties' copyrights.
I speak for myself. On this blog, I do not and cannot speak for Georgetown Law, the Organization for Transformative Works and/or AO3.